CVE-2025-64459
published 2025-11-05

Priority: P2 · 79 · critical · 9.1 (CVSS 3.1)
Vector: AV:N AC:L PR:N UI:N S:U C:H I:H A:N
Tags: EXPLOIT
EPSS: 19.14% (97.0th percentile)
An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

Affected

7 ranges

Vendor          Product         Version range                                       Fixed in
debian          python-django   < python-django 3:3.2.25-0+deb12u1 (bookworm)       python-django 3:3.2.25-0+deb12u1 (bookworm)
djangoproject   django          >= 0 < 4.2.26                                       4.2.26
djangoproject   django          >= 4.2 < 4.2.26                                     4.2.26
djangoproject   django          >= 5.0a1 < 5.1.14                                   5.1.14
djangoproject   django          >= 5.1 < 5.1.14                                     5.1.14
djangoproject   django          >= 5.2 < 5.2.8                                      5.2.8
djangoproject   django          >= 5.2a1 < 5.2.8                                    5.2.8

Detection & IOCs (extracted from sources)

url:      /api/users?
command:  _connector=OR
command:  _negated=True
command:  is_superuser=True

snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Django Privilege Escalation via SQLi (CVE-2025-64459)"; flow:established,to_server; http.uri; content:"/api/users|3f|"; fast_pattern; content:"_negated|3d|True"; http.method; content:"GET"; reference:url,www.endorlabs.com/learn/critical-sql-injection-vulnerability-in-django-cve-2025-64459; reference:cve,2025-64459; classtype:web-application-attack; sid:2065701; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_11_07, cve CVE_2025_64459, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)

snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Django Authentication Bypass via SQLi (CVE-2025-64459)"; flow:established,to_server; http.uri; content:"/api/users|3f|"; fast_pattern; content:"_connector|3d|OR"; content:"is_superuser|3d|True"; http.method; content:"GET"; reference:url,www.endorlabs.com/learn/critical-sql-injection-vulnerability-in-django-cve-2025-64459; reference:cve,2025-64459; classtype:web-application-attack; sid:2065699; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_11_07, cve CVE_2025_64459, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence Medium, signature_severity Major, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_07, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect HTTP GET requests to /api/users with _connector=OR and is_superuser=True query parameters — indicative of authentication bypass via SQLi (ET sid:2065699)
  • Detect HTTP GET requests to /api/users with the _negated=True query parameter — indicative of privilege escalation via SQLi (ET sid:2065701)
  • The exploit PoC sends a POST request with a 'search' field containing the injected _connector value; monitor for POST bodies containing SQL operator strings (OR 1=1 OR, AND 1=0 AND, OR 'a'='a' OR) in the search parameter
  • The vulnerability is triggered via dictionary expansion as the _connector argument to QuerySet.filter(), QuerySet.exclude(), QuerySet.get(), or Q(); audit application code for user-controlled input reaching these Django ORM methods
  • The Snort/ET rules carry TLSDecrypt metadata — they will only fire on decrypted TLS traffic; deploy with SSL inspection (SSLDecrypt) enabled for full coverage
  • The ET rules target the specific URI pattern /api/users?; applications exposing the vulnerable QuerySet methods at different endpoints will not be detected by these rules without customisation
  • The PoC exploit requires the target application to expose executed SQL in its response (e.g., via debug mode or a custom template) for result parsing; real-world exploitation does not require this
  • Earlier, unsupported Django series (5.0.x, 4.1.x, 3.2.x) were not evaluated and may also be affected; detection and patching scope should not be limited to the three confirmed version ranges
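The code-audit point above (user-controlled input reaching QuerySet.filter(), QuerySet.exclude(), QuerySet.get() or Q() through dictionary expansion) is easiest to close with an allowlist that decides which field/lookup pairs may ever become ORM keyword arguments. The block below is an added example, not code from this advisory, the ET rules or the Django project. It is framework-independent so it runs without Django installed; the ALLOWED_FILTERS schema, the partition_filter_params and safe_filter_kwargs helpers and the two query dictionaries are assumptions constructed for the illustration.

```python
"""Allowlist ORM filter parameters before dictionary expansion.

Added example (not code from the advisory, the ET rules or Django). The
pattern it hardens is the one the advisory describes: passing a user-controlled
dictionary straight into QuerySet.filter()/exclude()/get() or Q() via
``**kwargs``, which lets a caller supply keyword arguments such as
``_connector`` or ``_negated`` that the ORM treats as internal parameters.
"""

# Hypothetical allowlist for a user-listing endpoint: field -> permitted lookups.
# Only fields and lookups named here can ever reach the ORM.
ALLOWED_FILTERS = {
    "username": {"exact", "iexact", "icontains"},
    "email": {"exact", "iexact"},
    "is_active": {"exact"},
    "date_joined": {"gte", "lte"},
}


class UnsafeFilterKey(ValueError):
    """Raised when a query parameter is not an allowlisted field/lookup pair."""


def partition_filter_params(params, allowed=ALLOWED_FILTERS):
    """Split a query dict into (accepted_kwargs, rejected_keys).

    Every key is read as ``<field>`` or ``<field>__<lookup>``. It is accepted
    only if the field is allowlisted and the lookup is permitted for that
    field. Anything else (``_connector``, ``_negated``, a field the view never
    meant to expose, or a chained lookup such as ``email__password``) is
    reported as rejected rather than silently dropped, so the caller can log
    and refuse the request.
    """
    accepted, rejected = {}, []
    for key, value in params.items():
        field, _, lookup = str(key).partition("__")
        lookup = lookup or "exact"
        if field in allowed and lookup in allowed[field]:
            # Normalise to the explicit form so the ORM receives one canonical
            # key per lookup regardless of how the client spelled it.
            accepted[f"{field}__{lookup}"] = value
        else:
            rejected.append(key)
    return accepted, rejected


def safe_filter_kwargs(params, allowed=ALLOWED_FILTERS):
    """Return kwargs that are safe to splat into QuerySet.filter(**kwargs).

    Fails closed: raises UnsafeFilterKey if any parameter is outside the
    allowlist instead of forwarding unexpected keys to the ORM.
    """
    accepted, rejected = partition_filter_params(params, allowed)
    if rejected:
        raise UnsafeFilterKey(f"rejected query parameters: {rejected}")
    return accepted


# Constructed inputs (not captured traffic): a legitimate search, and the
# parameter set the ET rules above match on.
LEGIT_QUERY = {"username__icontains": "alice", "is_active": "True"}
HOSTILE_QUERY = {"_connector": "OR", "_negated": "True", "is_superuser": "True"}


if __name__ == "__main__":
    # Unsafe pattern (for contrast only): User.objects.filter(**request.GET.dict())
    # Hardened pattern: User.objects.filter(**safe_filter_kwargs(request.GET.dict()))
    print("accepted:", safe_filter_kwargs(LEGIT_QUERY))
    accepted, rejected = partition_filter_params(HOSTILE_QUERY)
    print("hostile request accepted:", accepted, "rejected:", rejected)
```

In a Django view the call would be `User.objects.filter(**safe_filter_kwargs(request.GET.dict()))`; because unknown keys raise rather than being discarded, a request carrying `_connector` or `_negated` produces a 4xx response and a log entry that can be correlated with the ET alerts above, instead of reaching the ORM at all.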

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
osv                       9.1     CRITICAL
vendor_debian             9.1     CRITICAL
vendor_redhat             9.1     CRITICAL